When will the Exchange 2010 Management Pack be fixed? (extest account keeps getting locked out)

  • Question

  • It seems like everyone is complaining that the test account keeps getting locked out by SCOM which causes all kinds of alerts related to any test that uses that account.

    This solution doesn't work as it breaks Outlook Anywhere/RPC-HTTP: http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b2022687&sd=rss&spid=13965

    Running SCOM 2007R2 Update Rollup 2.

    Any help is appreciated.

    I have no problem calling Microsoft PSS but it is obvious that no fix for this exists even though the issue appears to be widely spread and well known.

    Thanks!

    Jason

    Tuesday, June 8, 2010 6:44 PM

Answers

  • The account lockout is being addressed in documentation in the next Exchange MP update. If you are running the logins with any run-as profile other than the localsystem account, the lockout conditions will occur. To remedy this, make sure that those workflows have a localsystem runas account mapping.
    Microsoft Corporation
    • Marked as answer by Dan Rogers Wednesday, June 16, 2010 2:58 PM
    Wednesday, June 16, 2010 2:58 PM

All replies

  • There is another fix. A better one.
    Go into AD Users and Computers.
    Right-click the extest user account (something like extest_a5a1dc3217etc).
    Go to the Account tab and under Account options check "Do not require Kerberos preauthentication".
    That will fix the locking problem.

    Tuesday, June 8, 2010 7:20 PM
  • There is another fix. A better one.
    Go into AD Users and Computers.
    Right-click the extest user account (something like extest_a5a1dc3217etc).
    Go to the Account tab and under Account options check "Do not require Kerberos preauthentication".
    That will fix the locking problem.

    Thanks for the tip.

    I tried it and SCOM seemed to hammer away at my CAS servers to the point that OWA was returning 500 errors (sample CAS event log error at the end of this post). As soon as I undid the change the CAS servers were usable again (and the extest account locked again, of course).

    Not sure what is wrong with this management pack but it is frustrating.

    Jason

    Error text:

    (PID 1340, Thread 28) Task Test-OutlookConnectivity writing error when processing record of index 0. Error: System.ArgumentNullException: Value cannot be null.
    Parameter name: value
    at Microsoft.Exchange.ExchangeSystem.EnumValidator`1.TryParse(String value, EnumParseOptions options, T& result)
    at Microsoft.Exchange.ExchangeSystem.EnumValidator`1.Microsoft.Exchange.ExchangeSystem.IEnumConvert.TryParse(String value, EnumParseOptions options, Object& result)
    at Microsoft.Exchange.ExchangeSystem.EnumValidator.TryParse(Type enumType, String value, EnumParseOptions options, Object& result)
    at Microsoft.Exchange.ExchangeSystem.EnumValidator.TryParse[T](String value, EnumParseOptions options, T& result)
    at Microsoft.Exchange.Monitoring.AutodiscoverTask.AutodiscoverEnd(IAsyncResult asyncResult)
    at System.Net.LazyAsyncResult.Complete(IntPtr userToken)
    at System.Net.ContextAwareResult.CaptureOrComplete(ExecutionContext& cachedContext, Boolean returnContext)
    at System.Net.ContextAwareResult.FinishPostingAsyncOp()
    at System.Net.HttpWebRequest.BeginGetResponse(AsyncCallback callback, Object state)
    at Microsoft.Exchange.Management.SystemConfigurationTasks.AutoDiscoverClient.<>c__DisplayClass6.<>c__DisplayClass8.<BeginInvoke>b__5(ICredentials credentials)
    at Microsoft.Exchange.Management.SystemConfigurationTasks.CredentialsImpersonator.Impersonate(ImpersonateDelegate impersonateDelegate)
    at Microsoft.Exchange.Management.SystemConfigurationTasks.AutoDiscoverClient.<>c__DisplayClass6.<BeginInvoke>b__4()
    at Microsoft.Exchange.Management.SystemConfigurationTasks.AutoDiscoverClient.ExecuteAndReportErrors[T](Func`1 func)
    at Microsoft.Exchange.Management.SystemConfigurationTasks.TestOutlookWebServices.InternalDiscover(List`1 endpoints, String emailAddress, AsyncCallback asyncCallback)
    at Microsoft.Exchange.Monitoring.AutodiscoverTask.AutodiscoverBegin(AsyncResult`1 result)
    at Microsoft.Exchange.Monitoring.AutodiscoverTask.<BuildTransactions>d__1.MoveNext()
    at Microsoft.Exchange.Monitoring.OutlookConnectivityBase.<BuildTransactionHelper>d__0.MoveNext()
    at Microsoft.Exchange.Monitoring.TestOutlookConnectivityTask.RunTasksWithTimeout(ExDateTime expireTime, IEnumerable`1 task)
    at Microsoft.Exchange.Monitoring.TestOutlookConnectivityTask.InternalProcessRecord()
    at Microsoft.Exchange.Configuration.Tasks.Task.ProcessRecord()

    Wednesday, June 9, 2010 12:58 PM
  • The account lockout is being addressed in documentation in the next Exchange MP update. If you are running the logins with any run-as profile other than the localsystem account, the lockout conditions will occur. To remedy this, make sure that those workflows have a localsystem runas account mapping.
    Microsoft Corporation

    Thanks; I will do that.
    Wednesday, June 23, 2010 6:45 PM
  • While we are at it, can we also look into why, if we select to override the POP3 and IMAP alerts, nothing happens? If we disable or override these alerts, the effective result is that the alerts just keep on coming. This is of course referring to the MX2010 MP.
    Monday, July 26, 2010 6:23 PM
  • Hi Dan, any updates on that? I'm having this with a customer I manage remotely (using certificates) with SCOM and the accounts keep being locked out, even though I'm running the agent using the localsystem account. I also get the alert below. It's probably related:

    While processing an AS request for target service krbtgt, the account extest_b648f8aeac944 did not
    have a suitable key for generating a Kerberos ticket (the missing key has an ID

    I changed the account not to use Kerberos and it seems to work so far.

    Thanks,

    Jose Fehse

    MCSE
    Tuesday, September 7, 2010 2:23 PM
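
The "Do not require Kerberos preauthentication" workaround suggested earlier in the thread, and the lockouts reported in the posts above, can both be checked from PowerShell. The script below is an added example, not part of the thread and not Microsoft's code; it assumes the RSAT ActiveDirectory module, read access to the Security log on the PDC emulator, and a one-day look-back window chosen for illustration. With that flag set, the KDC no longer checks that the requester knows the password before it issues an encrypted reply, so accounts carrying it are worth inventorying.

```powershell
# Added example: audit the extest_* monitoring accounts discussed in this thread.
Import-Module ActiveDirectory

$props = 'DoesNotRequirePreAuth', 'LockedOut', 'BadLogonCount',
         'LastBadPasswordAttempt', 'AccountLockoutTime'

# The extest_<id> naming pattern is taken from the posts above.
$accounts = @(Get-ADUser -Filter "SamAccountName -like 'extest_*'" -Properties $props)

# 1. Current state, including whether the preauthentication workaround is applied.
$accounts |
    Select-Object SamAccountName, Enabled, LockedOut, DoesNotRequirePreAuth,
                  BadLogonCount, LastBadPasswordAttempt, AccountLockoutTime |
    Format-Table -AutoSize

# 2. Which machine triggered each lockout? Event 4740 (account locked out) is
#    read here from the PDC emulator, the usual place to look for lockouts.
$pdc   = (Get-ADDomain).PDCEmulator
$names = @($accounts.SamAccountName)
$since = (Get-Date).AddDays(-1)   # look-back window: an assumption, adjust as needed

Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $since } |
    Where-Object { $names -contains $_.Properties[0].Value } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = $_.Properties[0].Value   # TargetUserName
            Caller  = $_.Properties[1].Value   # caller computer name
        }
    } |
    Group-Object Account, Caller |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# 3. Every account in the domain that has preauthentication disabled.
Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' |
    Select-Object SamAccountName, DistinguishedName

# 4. Once the Run As mapping is corrected, the flag can be cleared again:
# $accounts | Where-Object DoesNotRequirePreAuth |
#     Set-ADAccountControl -DoesNotRequirePreAuth $false
```

The caller names from step 2 show which servers are submitting the failing logons, which is where the Run As account mapping described in the marked answer needs checking.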
  • Hi Dan, I would also be interested in an update as I am running into this continuously.

    Gordon

    Tuesday, September 21, 2010 4:01 PM
  • Hi Mark,

    This is because the Correlation Engine is using the Operations Manager SDK service.

    Copy the exact rule name starting from "KHI:" from the alert and go to the Authoring tab in the console. Find this rule and disable it by override "For All objects of class: Root Management Server". This kind of override doesn't exist when you are trying to do so from the alert description.

    Explanation:

    As a part of configuring the Exchange 2010 MP you have to provide the name of your RMS in Microsoft.Exchange.Monitoring.CorrelationEngine.exe.config, which is supposed to be located by default in c:\Program Files\Microsoft\Exchange Server\V14\Bin

    From the Microsoft MP guide:

    "Determine which server will host the Correlation Engine. While not strictly required, it is highly recommended that the Correlation Engine service is installed on the Operations Manager Root Management Server (RMS)" - I installed it on my RMS, so the path looks like on an Exchange server: c:\Program Files\Microsoft\Exchange Server\V14\Bin

    More information on how to implement the MP:

    http://www.systemcentercentral.com/BlogDetails/tabid/143/IndexID/67924/Default.aspx

    http://blogs.technet.com/b/kevinholman/archive/2010/05/01/installing-exchange-2010-into-a-test-lab.aspx

    http://www.toolzz.com/?p=102

    I hope this helps.

    Wednesday, December 1, 2010 10:52 AM
  • An update is expected within the first half of calendar year 2011.  We did hope to see it in the last half of 2010, but the MP is extremely complex and it is taking a lot longer to get it ready to release than anyone anticipated.
    Microsoft Corporation
    Monday, December 6, 2010 4:35 PM
  • Dan,

    Is it possible to rename those accounts?

    We have a naming convention to follow and "extest_12345678" doesn't fit there.

    Thanks.

    Juan

    Tuesday, May 31, 2011 2:11 PM
  • Dan,

    Was this ever fixed?

    Thanks,

    John

    Wednesday, October 31, 2018 11:58 AM